From 8860af3b4ca8542f8ff6a8a3e54470439e79033f Mon Sep 17 00:00:00 2001
From: Yonghua Huang
Date: Thu, 25 Oct 2018 22:53:03 +0800
Subject: [PATCH] dm: fix possible buffer overflow in 'acrn_load_elf()'
Will attempt to access element 2048..2049 of array "ptr32" if below conditions are both true: 1) ptr32[i] == MULTIBOOT_HEAD_MAGIC 2) (i == (ELF_BUF_LEN/4) - 1)
Tracked-On: #1252
Signed-off-by: Yonghua Huang
Acked-by: Fengwei Yin
---
 devicemodel/core/sw_load_elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devicemodel/core/sw_load_elf.c b/devicemodel/core/sw_load_elf.c
index 61057450d..0937e9972 100644
--- a/devicemodel/core/sw_load_elf.c
+++ b/devicemodel/core/sw_load_elf.c
@@ -194,7 +194,7 @@ acrn_load_elf(struct vmctx *ctx, char *elf_file_name, unsigned long *entry,
 * info prepared.
 */
 ptr32 = (unsigned int *) elf_buf;
- for (i = 0; i < ELF_BUF_LEN/4; i++) {
+ for (i = 0; i <= ((ELF_BUF_LEN/4) - 3); i++) {
 if (ptr32[i] == MULTIBOOT_HEAD_MAGIC) {
 int j = 0;
 unsigned int sum = 0;
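Review bot: The new bound `(ELF_BUF_LEN/4) - 3` hard-codes how many 32-bit words are read from each candidate header, and nothing in the hunk ties that 3 to the reads that follow the magic match, so the two can drift apart and reopen the out-of-bounds read the commit message describes. A named count would keep them together, e.g. `#define MULTIBOOT_HEAD_WORDS 3` (a constructed name) with `for (i = 0; i + MULTIBOOT_HEAD_WORDS <= ELF_BUF_LEN/4; i++) {`, which also avoids the subtraction wrapping if `i` is unsigned and the buffer is ever made smaller than three words. The loop still scans the full ELF_BUF_LEN regardless of how many bytes the file read returned; the read is outside the hunk, so it is worth confirming that a short image cannot leave uninitialised bytes in elf_buf for the magic search to match. The body of acrn_load_elf continues past the end of the hunk.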